NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. 142395

    142395 Guest

    It's the first case. And a VM should prevent it in theory. But remember it is a targeted attack. A targeted attack is, by definition, a customized attack specifically crafted to penetrate the victim, and only the victim. I've seen many arguments that, if the victim had used product X, they could have avoided infection, but it's flawed logic and forgets the nature of a targeted attack. It more likely means simply that the victim didn't use product X, so the attacker didn't need to bypass it.
    (Maybe off topic, but I tend to think VMs are actually not as secure as some people believe. They are not for security, and are sometimes even designed without security in mind. It's the case in VBox: not only the ASLR issue, but they don't follow the standard security process for vulnerability management (I forgot the correct name of that). And there have been at least some serious vulns in VMs which let an attacker bypass the VM, or even give system privileges on the host. A VM is a complex system with millions of lines of code, full of potential attack surface, but simply attacking the VM is not cost-effective for most criminals. This will be the main reason we haven't seen an actual attack against VMs.)
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  3. 142395

    142395 Guest

    I personally think Qubes is much more secure than other VMs (or any OS on those VMs); it's not just compartmentalization but also trying to reduce the attack surface as much as possible. So, to say the least, using Qubes will put up quite a high hurdle for an attacker who is seeking to infect your firmware (but who knows what the NSA can do?).
    Also, when we hear such a story we tend to think a firmware rootkit can do everything. But actually what firmware can do is limited by its nature, so they install other malware on the OS. Even when the firmware rootkit itself can't be detected, that malware may still be detected, or you may be protected to some extent. I don't think that we can't be protected from a firmware rootkit in any way and that any effort is futile. I didn't know about the Storage Domain mentioned in your link, very interesting (to be honest, not yet fully understood), though reliance on TXT might be an Achilles' heel when the attacker is the NSA. I wonder if InkTag can mitigate those threats or not, but it's beyond my expertise.
     
    Last edited by a moderator: Feb 18, 2015
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    True story I am going to share. I've shared it in the past with multiple people, and even on my Facebook.

    A few years back when I worked as a contractor for a 'sensitive' firm I found what I thought at the time was malware on my home machines. The problem was I would remove it, and it would come back. I started wiping hard drives and reinstalling Windows, and it came back! Eventually I think I realized it was either BIOS or HDD firmware that they were using to inject this. After much investigation we could only pin down the actual items being delivered, and things being altered, but not the delivery mechanism itself. When I contacted Panda Labs and worked with them they 'speculated' it was something state sponsored, but didn't have any evidence to prove it. Eventually I had a stack of SEVEN hard drives at my home. I kept swapping them out for different brands until it stopped, eventually coming to a brand that they seemed to not have the capability to infect. I reported my findings to several labs, including Panda at the time, and then forgot about all of this until recently.

    Also keep in mind, this means they can compromise SERVERS!
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,347

    I feel like trading my little tinfoil hat in for tinfoil full body armor!!
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,630
    Location:
    DC Metro Area
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ Mayahana

    Interesting account indeed! Several people over the years have also posted about similar experiences, on here & other www's. It was driving them almost crazy. They got a LOT of negative comments & insults etc. Of course we don't know if their issues were actually due to the NSA etc, but with all the recent Equation revelations, some infections "might" have been true!

    **********

    A stack of Equation's handiwork here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3735&p=25276#p25276
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes, and to add to the worries above, I'd also like to highlight something that's been giving me the collywobbles, and that's network adapter drivers and firmware. We know that some of the major companies involved have been attacked, and there are many things that could be done once you have control of the network adapter.
     
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Nah, network/driver firmware is irrelevant. Storage firmware access and a hidden OS port knocking sequence is all they need.
    As for the arstechnica article about not needing source code for making custom firmware, that is total BS. To stay under the radar they must be 100% sure that the injected code won't disrupt normal functions of the disk, and this can be guaranteed only if they have the source code; and the source code could only be obtained from cooperating manufacturers... No wonder that all these companies almost never release firmware updates for HDDs...

    Panagiotis
     
  12. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    I will never ever use Russian-Kaspersky on my PC ever again !!!

    Who knows what kind of spy files they have on my PC after I installed Russian-Kaspersky
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    References? How does that get past conventional perimeter defences?
     
  14. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    It is another "urban legend" that circulated from the late 90's about the Microsoft OSes. Never proven, but with the revelations of the last years and the recently patched vulnerability of the Windows OSes https://www.wilderssecurity.com/thre...ion-on-win-10-using-window-scrollbars.373329/ "urban legends" seem more real than legends.
    How port knocking works
    http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
    and some implementations
    http://wangzhengyuan.blogspot.gr/2014/02/port-knocking-implementations.html

    Panagiotis
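
An added worked example of the mechanism the two links above describe (editorial addition, not code from any poster or from the linked pages): the server side of port knocking, modelled as a state machine over firewall log lines. The log format, the knock sequence (7000, 8000, 9000), the 10-second window and the sample lines are all constructed for the demo; a real daemon would parse the host's actual iptables LOG output and add a firewall rule where this code records a grant.

```python
"""Port-knocking tracker: the server side of the scheme, as an added example."""
import re
from collections import defaultdict

# Constructed secret sequence and time window (assumptions, not from the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 10

# Assumed log format: an iptables LOG rule with prefix "KNOCK: " on closed ports,
# simplified to "<epoch-seconds> KNOCK: SRC=<ip> DPT=<port>".
LOG_RE = re.compile(r"^(?P<ts>\d+) KNOCK: SRC=(?P<src>[\d.]+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source_ip, dest_port), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m.group("ts")), m.group("src"), int(m.group("dpt"))


class KnockTracker:
    """Tracks each source address's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        # per source: (index of the next expected knock, time of the first knock)
        self.progress = defaultdict(lambda: (0, None))
        self.opened = []  # (timestamp, source) pairs that completed the sequence

    def feed(self, ts, src, dpt):
        idx, started = self.progress[src]
        if started is not None and ts - started > self.window:
            idx, started = 0, None  # took too long: forget partial progress
        if dpt == self.sequence[idx]:
            idx += 1
            if started is None:
                started = ts
            if idx == len(self.sequence):
                # A real daemon would insert an ACCEPT rule for src here.
                self.opened.append((ts, src))
                idx, started = 0, None
        elif dpt == self.sequence[0]:
            idx, started = 1, ts  # wrong port, but a valid first knock: restart
        else:
            idx, started = 0, None  # wrong port: reset this source
        self.progress[src] = (idx, started)

    def process(self, lines):
        """Feed a batch of log lines; return all (timestamp, source) grants so far."""
        for line in lines:
            parsed = parse_line(line)
            if parsed is not None:
                self.feed(*parsed)
        return list(self.opened)


# Constructed log lines: one correct sequence, one out of order, one too slow.
SAMPLE_LOG = [
    "100 KNOCK: SRC=203.0.113.5 DPT=7000",
    "101 KNOCK: SRC=203.0.113.5 DPT=8000",
    "102 KNOCK: SRC=203.0.113.5 DPT=9000",   # completes the sequence at t=102
    "200 KNOCK: SRC=198.51.100.9 DPT=7000",
    "201 KNOCK: SRC=198.51.100.9 DPT=9000",  # wrong order: progress reset
    "202 KNOCK: SRC=198.51.100.9 DPT=8000",
    "300 KNOCK: SRC=192.0.2.77 DPT=7000",
    "315 KNOCK: SRC=192.0.2.77 DPT=8000",    # 15 s after the first knock: window expired
    "316 KNOCK: SRC=192.0.2.77 DPT=9000",
]


def demo():
    """Run the sample log through a fresh tracker and return the grants."""
    return KnockTracker().process(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Only the first source is granted access; the out-of-order and the too-slow attempts leave no trace other than the individual SYNs in the log. Note what the example makes visible: anyone who can see the traffic (or the log) learns the sequence, so a knock sequence is an obscurity layer in front of a service, not authentication of the client.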
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, that's not true of hypervisors (I think I saw reference to about 100k for Xen in Qubes), and even with the fully-fledged type 2 VMs, I suspect most of the vulnerabilities are associated with host integration, and if you don't use that, the attack surface is limited.
     
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Well, there has been open source firmware for ages (http://www.coreboot.org/) to replace proprietary BIOS.
    It's basically a stripped down Linux.

    But we also need Open Source hardware (https://en.wikipedia.org/wiki/Open-source_hardware)

    Of course, current hardware vendors will likely protect their proprietary designs like crown jewels till the bloody end.
    So, until there come some new player(s) and some serious competition on this front, this is probably just going to be a sweet dream....

    *sigh* .... :(
    (I would soooo love to make my own 4G USB modem :D)

    BTW, that Kaspersky PDF report seems to list only a small subset of all those Equation Group C&C IPs and domains.
    There seem to be 300 C&C servers out there :eek:
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  19. 142395

    142395 Guest

    Yup, the most effective firmware malware would be that on the disk drive, as firmware malware itself can't do many things, so it most probably has to install its body on the OS; then, to hide the OS malware and persistently survive, the best place is the disk drive.
    Yes, that's correct and part of the reason I trust Qubes much more than VBox.
     
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,614
    Location:
    European Union
    The Great SIM Heist
    https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
     
  21. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    :eek::eek::eek:

    Edit: Ah, they did use PGP for e-mail. Should have read the story fully first ...:oops:
    Edit2: or at least one Thailand employee used....

    ...........:blink:
     
    Last edited: Feb 19, 2015
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The #1 customer for HDD in the world would comfortably be....

    The NSA.

    They just have to fill the Maryland facility with something.

    Doubtless - for lots of good sounding reasons - they would require the HD firmware source code to review before they would place their mega buck orders with their suppliers. And maybe have a few employees in the disk manufacturers to "help" them with their security. And so it goes.

    By the way, is there not a fairly simple OS level prevention (pre-infection), which is to say, any ATA/SCSI instruction outside the normal read-write-trim stuff would require UAC or privilege escalation. Although I guess that does nothing for malware that's already escalated. Maybe we need to build a little SATA controller PCIe card which acts as a SATA firewall.
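
An added example of the policy sketched in the post above (editorial addition, not code from the poster or any product): an allowlist over ATA command opcodes that passes ordinary read/write/TRIM traffic, lets firmware and vendor-specific commands through only from an elevated caller, and records the rest. The opcode values are those assigned by the ATA/ACS standards; the three-way policy, the function names, the per-process trace format and the sample trace are assumptions made for the demo.

```python
"""Allowlist for ATA commands: a software model of the "SATA firewall" idea (added example)."""

# Normal data-path commands: reads, writes, TRIM and cache flushes.
DATA_PATH = {
    0x20: "READ SECTOR(S)", 0x24: "READ SECTOR(S) EXT", 0x25: "READ DMA EXT",
    0x30: "WRITE SECTOR(S)", 0x34: "WRITE SECTOR(S) EXT", 0x35: "WRITE DMA EXT",
    0x60: "READ FPDMA QUEUED", 0x61: "WRITE FPDMA QUEUED",
    0xC8: "READ DMA", 0xCA: "WRITE DMA",
    0x06: "DATA SET MANAGEMENT",  # TRIM
    0xE7: "FLUSH CACHE", 0xEA: "FLUSH CACHE EXT",
}
# Read-mostly housekeeping the OS issues on its own; gating these would only be noise.
HOUSEKEEPING = {
    0xEC: "IDENTIFY DEVICE", 0xB0: "SMART",
    0xE5: "CHECK POWER MODE", 0xE0: "STANDBY IMMEDIATE",
}
# Commands that change what the drive *is* or destroy its contents.
PRIVILEGED = {
    0x92: "DOWNLOAD MICROCODE", 0x93: "DOWNLOAD MICROCODE DMA",
    0xF1: "SECURITY SET PASSWORD", 0xF2: "SECURITY UNLOCK",
    0xF3: "SECURITY ERASE PREPARE", 0xF4: "SECURITY ERASE UNIT",
    0xF5: "SECURITY FREEZE LOCK", 0xF6: "SECURITY DISABLE PASSWORD",
}
# Opcode block the ATA standard reserves for vendor-specific use. The standard
# reserves a few further scattered values too; only the main 80h-8Fh block is
# encoded here (assumption of the demo, not a complete list).
VENDOR_RANGES = ((0x80, 0x8F),)


def classify(opcode):
    """Map an ATA opcode to (verdict, command name).

    verdict is "allow" or "require_privilege". Anything not recognised is
    treated as privileged too, i.e. default-deny for the unprivileged caller.
    """
    if not 0 <= opcode <= 0xFF:
        raise ValueError(f"not an ATA opcode: {opcode!r}")
    if opcode in DATA_PATH:
        return "allow", DATA_PATH[opcode]
    if opcode in HOUSEKEEPING:
        return "allow", HOUSEKEEPING[opcode]
    if opcode in PRIVILEGED:
        return "require_privilege", PRIVILEGED[opcode]
    for lo, hi in VENDOR_RANGES:
        if lo <= opcode <= hi:
            return "require_privilege", f"VENDOR SPECIFIC {opcode:#04x}"
    return "require_privilege", f"UNKNOWN {opcode:#04x}"


def enforce(trace):
    """Apply the policy to a trace of (process_name, opcode, caller_is_elevated).

    Returns (passed, blocked), each a list of (process_name, command name).
    """
    passed, blocked = [], []
    for proc, opcode, elevated in trace:
        verdict, name = classify(opcode)
        if verdict == "allow" or elevated:
            passed.append((proc, name))
        else:
            blocked.append((proc, name))
    return passed, blocked


# Constructed trace of commands as they would reach the disk driver.
SAMPLE_TRACE = [
    ("explorer.exe", 0x61, False),  # NCQ write from an ordinary user process
    ("explorer.exe", 0x60, False),  # NCQ read
    ("svchost.exe", 0xB0, False),   # SMART poll
    ("updater.exe", 0x92, True),    # vendor firmware updater, run elevated: allowed
    ("dropper.exe", 0x92, False),   # unelevated firmware download: blocked
    ("dropper.exe", 0x85, False),   # vendor-specific opcode: blocked
    ("dropper.exe", 0xF4, False),   # security erase: blocked
]


if __name__ == "__main__":
    ok, no = enforce(SAMPLE_TRACE)
    print("passed:", ok)
    print("blocked:", no)
```

Two caveats that follow directly from the post. First, the gate decides on the caller's privilege, so, as the poster says, it does nothing once malware is already running elevated; that is the argument for doing the same check on a separate card rather than in the OS. Second, an OS-level filter has to look inside SCSI wrappers as well as at raw ATA: a DOWNLOAD MICROCODE can also arrive wrapped in a SCSI ATA PASS-THROUGH command, and the firmware-update path on SCSI drives is WRITE BUFFER, so those carriers need the same treatment as the bare opcode.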
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,630
    Location:
    DC Metro Area
    "Secrecy around spy device is case’s undoing"

    "An FBI-imposed gag order about the StingRay, a sophisticated surveillance device that mimics cell towers, endangers some criminal cases when its use is questioned by defendants or judges."

    http://www.washingtonpost.com/regional/
     
  24. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I don't know what the problem is:
    Old System- Police Have Reasonable suspicion > Judicial Review > Warrant Issued > Carrier Provide Warrant > Information Provided to Police
    New System - Police Want Information > Police Activate Stingray > Police Get Information

    Gets rid of the whole wasted process of the judiciary.


    Why did we have the judiciary anyway? ...... oh right the whole separation of powers under the US constitution.
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,630
    Location:
    DC Metro Area
    It's a lot more than just about separation of powers - separation of powers was merely a means to a fundamental end. This story is about the guarantees of our liberty and freedom under the Constitution and Bill of Rights. The 4th Amendment's protection from unreasonable searches and seizures was written to prevent one of the most common British abuses that fomented the American Revolutionary War. That is what makes the recent NSA revelations so fundamentally obscene.
     